The goal of this project is to use the BeagleBoard as an USB sniffer. The host computer would be connected to the slave USB port of the BeagleBoard, and the device to be sniffed on the host USB port.

The goal of this project is to use the BeagleBoard as an USB sniffer. The host computer would be connected to the slave USB port of the BeagleBoard, and the device to be sniffed on the host USB port.

−

The BeagleBoard would then forward USB data, while logging it.

+

The BeagleBoard would then forward USB data, while logging it. In basic terms, there is a proxy driver running on the BeagleBoard, that acts both as a USB slave, and claims a USB device. According to the device descriptor, endpoints are activated on the USB slave controller, and packets are then forwarded back and forth between the host and the device.

−

This presents the following advantages over a software-based solution: No software modification is required; support of proprietary OSes; allows debugging of new USB stacks; and possibly lower-level debugging of USB frames...

+

This presents the following advantages over a software-based solution: No software modification is required; support of proprietary OSes; allows debugging of new USB stacks... However, this doesn't allow low-level debugging of USB transactions, that a hardware solution would allow. Also, the solution can only be as reliable as the USB host controller driver (which is well tested), and as the USB device controller driver (the MUSB driver in the Linux still has some bugs).

−

== Build and run instructions ==

+

== Build instructions ==

+

+

Latest recommended branches:

+

* Kernel tree:

+

**<tt>stable-20100726</tt> [http://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/commits/stable-20100726], OR

+

**<tt>stable-20100809</tt> [http://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/commits/stable-20100809]: this version may fix some problems with some devices, but will affect performance, for example when used with USB mass storage devices.

* Do not reconfigure the kernel (unless you need some extra modules): the git tree comes with a ready-made <tt>.config</tt>.

+

* Compile and install the kernel.

+

** Make sure your environment is set properly (at least <tt>CROSS_COMPILE=arm-angstrom-linux-gnueabi-</tt> and <tt>ARCH=arm</tt> should be set)

+

** Run <tt>make uImage</tt>.

+

** Copy the resulting <tt>uImage</tt> on the SD card.

+

* Compile and install the kernel modules

+

** <tt>make modules</tt>

+

** To install the modules, the easiest is probably to set <tt>INSTALL_MOD_PATH</tt> to some directory on your host computer, run <tt>make modules_install</tt>, and copy the modules to the SD card, or via the network.

+

** Note: in some cases, I had problem with the kernel not finding modules. In that case, run <tt>depmod -a</tt> on the BeagleBoard, and reboot.

+

* Install libpcap-1.1.1 and tcpdump-4.1.1.

+

** If you don't have a recent enough OpenEmbedded install, the recipes can be found in these 2 commits: [http://git.openembedded.org/cgit.cgi/openembedded/commit/?id=7b9e14891f7d69b5376041fc15df3d5f13f41855] and [http://git.openembedded.org/cgit.cgi/openembedded/commit/?id=d4f0fb310f7d40f7a50f50fb12083fa258aa1eed]: apply these 2 commits, or update your OpenEmbedded distribution to the latest git.

+

** Build libpcap and tcpdump, this can be done with a command like <tt>bitbake libpcap tcpdump</tt> provided you have the environment set properly (i.e., source <tt>~/.oe/environment</tt> or use <tt>oebb.sh</tt>).

+

** The 2 packages can be found in <tt>$OE_BASE/build/tmp-angstrom_2008_1/deploy/glibc/ipk/armv7a</tt>: <tt>libpcap_1.1.1-r1.5_armv7a.ipk</tt> and <tt>tcpdump_4.1.1-r1.5_armv7a.ipk</tt>.

+

** Copy these on the BeagleBoard, and run <tt>opkg install <i>name</i>.ipk</tt> for both packages.

* Plug your device (through a USB hub if it is a low/full-speed device).

+

* Run <tt>./sniff</tt>, and follow the instructions. Data transfers will be logged to <tt>/media/ram/dump</tt>. This resulting file can be displayed using wireshark.

+

* Use the device, it should work, and packets are captured.

−

* Clone my kernel git tree. Use the <tt>stable-20100702</tt> branch.

+

or the manual way (mostly for testing purpose, as it does not log packets):

−

* Compile the kernel with the default beagleboard configuration (see [[BeagleBoard#Linux_kernel]]). You just need to add <tt>CONFIG_USB_G_PROXY=m</tt>. I also disabled MUSB in host and OTG mode, as well as USB suspend, but this may not be necessary.

+

−

* Install the new kernel on the board.

+

−

* Clone the helper scripts git tree, and copy the content of the arm directory to the BeagleBoard (you need to modify load/setup scripts if you do not have have a copy of <tt>musb_hdrc.ko</tt> and <tt>g_proxy.ko</tt> in the same directory).

+

* Run <tt>./setup</tt> on the BeagleBoard, this will unload the <tt>g_ether</tt> gadget driver.

* Run <tt>./setup</tt> on the BeagleBoard, this will unload the <tt>g_ether</tt> gadget driver.

* Plug your device (through a USB hub if it is a low/full-speed device).

* Plug your device (through a USB hub if it is a low/full-speed device).

|style="background-color:#c0ff00; font-style:bold" align="center"|OK<br>(but needs some hacks)<br>(audio+video at the same time doesn't work)

+

|style="background-color:#c0ff00; font-style:bold" align="center"|OK<br>(audio+video at the same time doesn't work)

−

|<tt>stable-20100702</tt>

+

|<tt>>stable-20100717</tt>

−

| No visible problem (video 640x480 OR audio), but needs some hacks: <tt>musb_hdrc</tt> parameters: <tt>fifo_mode=6 use_dma=0</tt>, the FIFO mode is required, because EP1 needs 768 bytes per packet (and the default is only 512). The DMA doesn't handle short ISO packets properly, so it has to be disabled.<br>

+

| No visible problem (video 640x480 OR audio). Needs <tt>musb_hdrc</tt> parameter <tt>fifo_mode=6</tt>. The FIFO mode is required, because EP1 needs 768 bytes per packet (and the default is only 512). The DMA has been fixed to handle ISO packets properly.<br>

−

Enabling both video + audio at the same time doesn't work (bandwidth allocation problem, but this may be a USB hub problem).

+

Enabling both video + audio at the same time doesn't work (bandwidth allocation problem, but this is probably an USB hub problem).

One major problem with the device emulation model, using a proxy driver, is about bandwidth allocation.

+

+

The USB is polling-based, that is, the controller regularly interrogates all the endpoints of all the devices attached to it.

+

+

When a new USB device is added, some bandwidth is allocated for each of its endpoints, depending on some polling interval and packet size defined in the device descriptor. This bandwidth allocation defines the polling schedule, across all the endpoints, for all the devices present on the bus.

+

+

If insufficient bandwidth is available, the device may not work. For isochronous endpoints, the device usually defines several interfaces, with different bandwidth requirements (i.e., different packet sizes), and the driver can choose the appropriate interface, according to the bandwidth available on the bus.

+

+

One of the problems that could occur with our proxy driver, is that the host may decide to allocate more bandwidth than the bandwidth available on the USB host controller of the BeagleBoard. In that case, bandwidth allocation may fail on the BeagleBoard (with an <tt>ENOSPC</tt>, or <tt>-28</tt> error), and transfers on the affected endpoint would not work. From my experience, this seems to happen only with full-speed devices, that cannot be connected directly to the BeagleBoard, and need an intermediate USB hub.

== MUSB testing code ==

== MUSB testing code ==

Line 115:

Line 190:

Some instructions on how to use the code to trigger the MUSB bug with short isochronous packets:

Some instructions on how to use the code to trigger the MUSB bug with short isochronous packets:

−

* Checkout [[http://gitorious.org/beagleboard-usbsniffer/musb-test]].

+

Checkout [http://gitorious.org/beagleboard-usbsniffer/musb-test|http://gitorious.org/beagleboard-usbsniffer/musb-test]. There are 2 directories: <tt>host</tt>, and <tt>device</tt>.

−

* There are 2 directories:

+

+

For the device side (on the beagleboard), you need to cross-compile <tt>usbtest</tt>. You need <tt>libaio</tt>, which can be built using Angstrom, and <tt>gadgetfs</tt> in the Linux kernel. Then, the gadgetfs driver is loaded as follows:

+

+

modprobe gadgetfs

+

mkdir /dev/gadget/ -p

+

mount -t gadgetfs none /dev/gadget

+

./usbtest -v -s 512 -p 2 -a 1 -I0 -x 18

+

+

The host code must be run on your host PC. It requires the <tt>usbtest</tt> module (<tt>CONFIG_USB_TEST=m</tt>), then isochronous IN transfers are tested with the following command:

+

./testusb -a -t 16 -g 1 -c 10

+

+

While running the test, you can monitor the USB traffic using usbmon, you should see isochronous packets of length 18, i.e., something like this:

Contents

Abstract

The goal of this project is to use the BeagleBoard as an USB sniffer. The host computer would be connected to the slave USB port of the BeagleBoard, and the device to be sniffed on the host USB port.

The BeagleBoard would then forward USB data, while logging it. In basic terms, there is a proxy driver running on the BeagleBoard, that acts both as a USB slave, and claims a USB device. According to the device descriptor, endpoints are activated on the USB slave controller, and packets are then forwarded back and forth between the host and the device.

This presents the following advantages over a software-based solution: No software modification is required; support of proprietary OSes; allows debugging of new USB stacks... However, this doesn't allow low-level debugging of USB transactions, that a hardware solution would allow. Also, the solution can only be as reliable as the USB host controller driver (which is well tested), and as the USB device controller driver (the MUSB driver in the Linux still has some bugs).

No visible problem (video 640x480 OR audio). Needs musb_hdrc parameter fifo_mode=6. The FIFO mode is required, because EP1 needs 768 bytes per packet (and the default is only 512). The DMA has been fixed to handle ISO packets properly.

Enabling both video + audio at the same time doesn't work (bandwidth allocation problem, but this is probably an USB hub problem).

Known issues

Bandwidth allocation

One major problem with the device emulation model, using a proxy driver, is about bandwidth allocation.

The USB is polling-based, that is, the controller regularly interrogates all the endpoints of all the devices attached to it.

When a new USB device is added, some bandwidth is allocated for each of its endpoints, depending on some polling interval and packet size defined in the device descriptor. This bandwidth allocation defines the polling schedule, across all the endpoints, for all the devices present on the bus.

If insufficient bandwidth is available, the device may not work. For isochronous endpoints, the device usually defines several interfaces, with different bandwidth requirements (i.e., different packet sizes), and the driver can choose the appropriate interface, according to the bandwidth available on the bus.

One of the problems that could occur with our proxy driver, is that the host may decide to allocate more bandwidth than the bandwidth available on the USB host controller of the BeagleBoard. In that case, bandwidth allocation may fail on the BeagleBoard (with an ENOSPC, or -28 error), and transfers on the affected endpoint would not work. From my experience, this seems to happen only with full-speed devices, that cannot be connected directly to the BeagleBoard, and need an intermediate USB hub.

MUSB testing code

Some instructions on how to use the code to trigger the MUSB bug with short isochronous packets:

For the device side (on the beagleboard), you need to cross-compile usbtest. You need libaio, which can be built using Angstrom, and gadgetfs in the Linux kernel. Then, the gadgetfs driver is loaded as follows: